The previous update for php5, DSA-3074-1, introduced a regression in the sessionclean cron script. The change was intended to fix a potential symlink attack using filenames including the NULL character (Debian bug #766147), but depended on a sed package version too recent, not in Wheezy.

This update reverts the fix, so people are advised to keep kernel symlink protection (sysctl fs.protected_symlinks=1) enabled as it is by default on Wheezy, which is enough to prevent successful exploitation.
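
One way to check the mitigation the advisory relies on, as an added example that is not part of the original advisory: it reads the running value of fs.protected_symlinks and looks for persistent sysctl settings that would turn it off at boot. The function names and the `--live` switch are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit the fs.protected_symlinks mitigation named in the advisory.
# Paths are parameters so the check can run against a mounted image or a test tree.

# Print the running kernel's value, or "unknown" if the file is unreadable.
runtime_value() {
    proc_file="${1:-/proc/sys/fs/protected_symlinks}"
    if [ -r "$proc_file" ]; then
        tr -d '[:space:]' < "$proc_file"
        echo
    else
        echo unknown
    fi
}

# Print "file:value" for every persistent assignment of the key. Accepts the
# "fs.protected_symlinks" and "fs/protected_symlinks" spellings with optional
# whitespace around "="; commented-out lines do not match.
persistent_settings() {
    etc_dir="${1:-/etc}"
    for f in "$etc_dir"/sysctl.conf "$etc_dir"/sysctl.d/*.conf; do
        [ -f "$f" ] || continue
        sed -n 's/^[[:space:]]*fs[./]protected_symlinks[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$f" |
            while IFS= read -r v; do printf '%s:%s\n' "$f" "$v"; done
    done
}

# Return 0 only if the protection is on now and no config file disables it.
audit_protected_symlinks() {
    rc=0
    rt=$(runtime_value "${1:-}")
    if [ "$rt" = "1" ]; then
        echo "OK   runtime fs.protected_symlinks=1"
    else
        echo "FAIL runtime fs.protected_symlinks=$rt"
        rc=1
    fi
    disabled=$(persistent_settings "${2:-}" | grep ':0$' || true)
    if [ -n "$disabled" ]; then
        printf 'FAIL disabled persistently in:\n%s\n' "$disabled"
        rc=1
    fi
    return $rc
}

# Hypothetical switch: "--live" audits the running system with default paths.
if [ "${1:-}" = "--live" ]; then audit_protected_symlinks; fi
```

The check flags any file that sets the key to 0, regardless of the order in which the boot scripts read the files.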

For the stable distribution (wheezy), this problem has been fixed in version 5.4.35-0+deb7u2.

We recommend that you upgrade your php5 packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/